redline | 27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96

Analysis

max time kernel
96s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

perm.exe
Size

4.6MB
MD5

cd15473be3b87cf2f089fe3a652d0d08
SHA1

5fecdc548d7c9e134940509d4b002dd36deda1ef
SHA256

27088c28c0f31bf50d35890675acb14a9da0b2bf574a03c79040e640bd1fbe96
SHA512

cdd2f2dbc59942999082bd62bd869b66bf80b525d7b7244cb6527540bb288a50844f6d078f21c319d6888d02efca5a73ed054c16a544958ef40e215a54336477
SSDEEP

98304:1d7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6KM:u+y4ihkl/Wo/afHP9

Score

10^/10

redline sectoprat xworm discovery evasion infostealer rat trojan

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-3-0x0000000004D00000-0x0000000004D94000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-3-0x0000000004D00000-0x0000000004D94000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/2756-3-0x0000000004D00000-0x0000000004D94000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	perm.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	perm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	perm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	perm.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	perm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	perm.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4828	taskkill.exe
1316	taskkill.exe
2192	taskkill.exe
3616	taskkill.exe
1480	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2756	perm.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe
Token: SeIncBasePriorityPrivilege	2756	perm.exe
Token: 33	2756	perm.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3172	2756	perm.exe	84
PID 2756 wrote to memory of 3172	2756	perm.exe	84
PID 2756 wrote to memory of 3172	2756	perm.exe	84
PID 3172 wrote to memory of 2192	3172	cmd.exe	86
PID 3172 wrote to memory of 2192	3172	cmd.exe	86
PID 3172 wrote to memory of 2192	3172	cmd.exe	86
PID 2756 wrote to memory of 3976	2756	perm.exe	87
PID 2756 wrote to memory of 3976	2756	perm.exe	87
PID 2756 wrote to memory of 3976	2756	perm.exe	87
PID 3976 wrote to memory of 3616	3976	cmd.exe	89
PID 3976 wrote to memory of 3616	3976	cmd.exe	89
PID 3976 wrote to memory of 3616	3976	cmd.exe	89
PID 2756 wrote to memory of 5036	2756	perm.exe	90
PID 2756 wrote to memory of 5036	2756	perm.exe	90
PID 2756 wrote to memory of 5036	2756	perm.exe	90
PID 5036 wrote to memory of 1480	5036	cmd.exe	92
PID 5036 wrote to memory of 1480	5036	cmd.exe	92
PID 5036 wrote to memory of 1480	5036	cmd.exe	92
PID 2756 wrote to memory of 2284	2756	perm.exe	93
PID 2756 wrote to memory of 2284	2756	perm.exe	93
PID 2756 wrote to memory of 2284	2756	perm.exe	93
PID 2284 wrote to memory of 4828	2284	cmd.exe	95
PID 2284 wrote to memory of 4828	2284	cmd.exe	95
PID 2284 wrote to memory of 4828	2284	cmd.exe	95
PID 2756 wrote to memory of 2044	2756	perm.exe	96
PID 2756 wrote to memory of 2044	2756	perm.exe	96
PID 2756 wrote to memory of 2044	2756	perm.exe	96
PID 2044 wrote to memory of 1316	2044	cmd.exe	98
PID 2044 wrote to memory of 1316	2044	cmd.exe	98
PID 2044 wrote to memory of 1316	2044	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\perm.exe
"C:\Users\Admin\AppData\Local\Temp\perm.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerUI.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im HTTPDebuggerSvc.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Ida64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Ida64.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im OllyDbg.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im OllyDbg.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c taskkill /f /im Dbg64.exe >nul 2>&1
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Dbg64.exe
    3⤵
    - Kills process with taskkill
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2756-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/2756-1-0x00000000000A0000-0x000000000053E000-memory.dmp

Filesize
4.6MB

Download
memory/2756-2-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2756-3-0x0000000004D00000-0x0000000004D94000-memory.dmp

Filesize
592KB

Download
memory/2756-4-0x0000000005660000-0x0000000005C04000-memory.dmp

Filesize
5.6MB

Download
memory/2756-5-0x0000000005120000-0x0000000005186000-memory.dmp

Filesize
408KB

Download
memory/2756-6-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/2756-7-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download